def test_db_authenticate_threaded(self): db = client_context.client.db coll = db.test coll.drop() coll.insert_one({'_id': 1}) client_context.create_user( 'db', 'user', 'pass', roles=['dbOwner']) self.addCleanup(db.command, 'dropUser', 'user') db = rs_or_single_client_noauth().db db.authenticate('user', 'pass') # No error. db.authenticate('user', 'pass') db = rs_or_single_client_noauth().db threads = [] for _ in range(4): threads.append(DBAuthenticateThread(db, 'user', 'pass')) for thread in threads: thread.start() for thread in threads: thread.join() self.assertTrue(thread.success)
def test_auth_from_uri(self): self.client.admin.add_user("admin", "pass", roles=["root"]) self.addCleanup(self.client.admin.remove_user, "admin") self.addCleanup(remove_all_users, self.client.pymongo_test) self.client.pymongo_test.add_user("user", "pass", roles=["userAdmin", "readWrite"]) with self.assertRaises(OperationFailure): connected(rs_or_single_client("mongodb://*****:*****@%s:%d" % (host, port))) # No error. connected(rs_or_single_client_noauth("mongodb://*****:*****@%s:%d" % (host, port))) # Wrong database. uri = "mongodb://*****:*****@%s:%d/pymongo_test" % (host, port) with self.assertRaises(OperationFailure): connected(rs_or_single_client(uri)) # No error. connected(rs_or_single_client_noauth("mongodb://*****:*****@%s:%d/pymongo_test" % (host, port))) # Auth with lazy connection. rs_or_single_client( "mongodb://*****:*****@%s:%d/pymongo_test" % (host, port), connect=False ).pymongo_test.test.find_one() # Wrong password. bad_client = rs_or_single_client("mongodb://*****:*****@%s:%d/pymongo_test" % (host, port), connect=False) self.assertRaises(OperationFailure, bad_client.pymongo_test.test.find_one)
def test_make_user_readonly(self): extra = {} if client_context.version.at_least(3, 7, 2): extra['mechanisms'] = ['SCRAM-SHA-1'] # "self.client" is logged in as root. auth_db = self.client.pymongo_test # Make a read-write user. auth_db.add_user('jesse', 'pw', **extra) self.addCleanup(remove_all_users, auth_db) # Check that we're read-write by default. c = rs_or_single_client_noauth(username='******', password='******', authSource='pymongo_test') c.pymongo_test.collection.insert_one({}) # Make the user read-only. auth_db.add_user('jesse', 'pw', read_only=True, **extra) c = rs_or_single_client_noauth(username='******', password='******', authSource='pymongo_test') self.assertRaises(OperationFailure, c.pymongo_test.collection.insert_one, {})
def test_scram_sha1(self): host, port = client_context.host, client_context.port with ignore_deprecations(): client = rs_or_single_client_noauth() self.assertTrue( client.pymongo_test.authenticate('user', 'pass', mechanism='SCRAM-SHA-1')) client.pymongo_test.command('dbstats') client = rs_or_single_client_noauth( 'mongodb://*****:*****@%s:%d/pymongo_test?authMechanism=SCRAM-SHA-1' % (host, port)) client.pymongo_test.command('dbstats') if client_context.is_rs: uri = ('mongodb://*****:*****@%s:%d/pymongo_test?authMechanism=SCRAM-SHA-1' '&replicaSet=%s' % (host, port, client_context.replica_set_name)) client = single_client_noauth(uri) client.pymongo_test.command('dbstats') db = client.get_database('pymongo_test', read_preference=ReadPreference.SECONDARY) db.command('dbstats')
def test_make_user_readonly(self): # "self.client" is logged in as root. auth_db = self.client.pymongo_test # Make a read-write user. auth_db.add_user('jesse', 'pw') self.addCleanup(remove_all_users, auth_db) # Check that we're read-write by default. c = rs_or_single_client_noauth(username='******', password='******', authSource='pymongo_test') c.pymongo_test.collection.insert_one({}) # Make the user read-only. auth_db.add_user('jesse', 'pw', read_only=True) c = rs_or_single_client_noauth(username='******', password='******', authSource='pymongo_test') self.assertRaises(OperationFailure, c.pymongo_test.collection.insert_one, {})
def test_scram_saslprep(self): # Step 4: test SASLprep host, port = client_context.host, client_context.port # Test the use of SASLprep on passwords. For example, # saslprep('\u2136') becomes 'IV' and saslprep('I\u00ADX') # becomes 'IX'. SASLprep is only supported when the standard # library provides stringprep. client_context.create_user( 'testscram', '\u2168', '\u2163', roles=['dbOwner'], mechanisms=['SCRAM-SHA-256']) client_context.create_user( 'testscram', 'IX', 'IX', roles=['dbOwner'], mechanisms=['SCRAM-SHA-256']) client = rs_or_single_client_noauth( username='******', password='******', authSource='testscram') client.testscram.command('dbstats') client = rs_or_single_client_noauth( username='******', password='******', authSource='testscram', authMechanism='SCRAM-SHA-256') client.testscram.command('dbstats') client = rs_or_single_client_noauth( username='******', password='******', authSource='testscram') client.testscram.command('dbstats') client = rs_or_single_client_noauth( username='******', password='******', authSource='testscram') client.testscram.command('dbstats') client = rs_or_single_client_noauth( username='******', password='******', authSource='testscram', authMechanism='SCRAM-SHA-256') client.testscram.command('dbstats') client = rs_or_single_client_noauth( username='******', password='******', authSource='testscram', authMechanism='SCRAM-SHA-256') client.testscram.command('dbstats') client = rs_or_single_client_noauth( 'mongodb://\u2168:\u2163@%s:%d/testscram' % (host, port)) client.testscram.command('dbstats') client = rs_or_single_client_noauth( 'mongodb://\u2168:IV@%s:%d/testscram' % (host, port)) client.testscram.command('dbstats') client = rs_or_single_client_noauth( 'mongodb://*****:*****@%s:%d/testscram' % (host, port)) client.testscram.command('dbstats') client = rs_or_single_client_noauth( 'mongodb://*****:*****@%s:%d/testscram' % (host, port)) client.testscram.command('dbstats')
def test_uri_options(self): # Test default to admin host, port = client_context.host, client_context.port client = rs_or_single_client_noauth( 'mongodb://*****:*****@%s:%d' % (host, port)) self.assertTrue(client.admin.command('dbstats')) if client_context.is_rs: uri = ('mongodb://*****:*****@%s:%d/?replicaSet=%s' % ( host, port, client_context.replica_set_name)) client = single_client_noauth(uri) self.assertTrue(client.admin.command('dbstats')) db = client.get_database( 'admin', read_preference=ReadPreference.SECONDARY) self.assertTrue(db.command('dbstats')) # Test explicit database uri = 'mongodb://*****:*****@%s:%d/pymongo_test' % (host, port) client = rs_or_single_client_noauth(uri) self.assertRaises(OperationFailure, client.admin.command, 'dbstats') self.assertTrue(client.pymongo_test.command('dbstats')) if client_context.is_rs: uri = ('mongodb://*****:*****@%s:%d/pymongo_test?replicaSet=%s' % ( host, port, client_context.replica_set_name)) client = single_client_noauth(uri) self.assertRaises(OperationFailure, client.admin.command, 'dbstats') self.assertTrue(client.pymongo_test.command('dbstats')) db = client.get_database( 'pymongo_test', read_preference=ReadPreference.SECONDARY) self.assertTrue(db.command('dbstats')) # Test authSource uri = ('mongodb://*****:*****@%s:%d' '/pymongo_test2?authSource=pymongo_test' % (host, port)) client = rs_or_single_client_noauth(uri) self.assertRaises(OperationFailure, client.pymongo_test2.command, 'dbstats') self.assertTrue(client.pymongo_test.command('dbstats')) if client_context.is_rs: uri = ('mongodb://*****:*****@%s:%d/pymongo_test2?replicaSet=' '%s;authSource=pymongo_test' % ( host, port, client_context.replica_set_name)) client = single_client_noauth(uri) self.assertRaises(OperationFailure, client.pymongo_test2.command, 'dbstats') self.assertTrue(client.pymongo_test.command('dbstats')) db = client.get_database( 'pymongo_test', read_preference=ReadPreference.SECONDARY) self.assertTrue(db.command('dbstats'))
def test_uri_options(self): # Test default to admin host, port = client_context.host, client_context.port client = rs_or_single_client_noauth('mongodb://*****:*****@%s:%d' % (host, port)) self.assertTrue(client.admin.command('dbstats')) if client_context.is_rs: uri = ('mongodb://*****:*****@%s:%d/?replicaSet=%s' % (host, port, client_context.replica_set_name)) client = single_client_noauth(uri) self.assertTrue(client.admin.command('dbstats')) db = client.get_database('admin', read_preference=ReadPreference.SECONDARY) self.assertTrue(db.command('dbstats')) # Test explicit database uri = 'mongodb://*****:*****@%s:%d/pymongo_test' % (host, port) client = rs_or_single_client_noauth(uri) self.assertRaises(OperationFailure, client.admin.command, 'dbstats') self.assertTrue(client.pymongo_test.command('dbstats')) if client_context.is_rs: uri = ('mongodb://*****:*****@%s:%d/pymongo_test?replicaSet=%s' % (host, port, client_context.replica_set_name)) client = single_client_noauth(uri) self.assertRaises(OperationFailure, client.admin.command, 'dbstats') self.assertTrue(client.pymongo_test.command('dbstats')) db = client.get_database('pymongo_test', read_preference=ReadPreference.SECONDARY) self.assertTrue(db.command('dbstats')) # Test authSource uri = ('mongodb://*****:*****@%s:%d' '/pymongo_test2?authSource=pymongo_test' % (host, port)) client = rs_or_single_client_noauth(uri) self.assertRaises(OperationFailure, client.pymongo_test2.command, 'dbstats') self.assertTrue(client.pymongo_test.command('dbstats')) if client_context.is_rs: uri = ('mongodb://*****:*****@%s:%d/pymongo_test2?replicaSet=' '%s;authSource=pymongo_test' % (host, port, client_context.replica_set_name)) client = single_client_noauth(uri) self.assertRaises(OperationFailure, client.pymongo_test2.command, 'dbstats') self.assertTrue(client.pymongo_test.command('dbstats')) db = client.get_database('pymongo_test', read_preference=ReadPreference.SECONDARY) self.assertTrue(db.command('dbstats'))
def test_multiple_logins(self): self.client.pymongo_test.add_user('user1', 'pass', roles=['readWrite']) self.client.pymongo_test.add_user('user2', 'pass', roles=['readWrite']) self.addCleanup(remove_all_users, self.client.pymongo_test) client = rs_or_single_client_noauth( "mongodb://*****:*****@%s:%d/pymongo_test" % (host, port)) client.pymongo_test.test.find_one() with self.assertRaises(OperationFailure): # Can't log in to the same database with multiple users. client.pymongo_test.authenticate('user2', 'pass') client.pymongo_test.test.find_one() client.pymongo_test.logout() with self.assertRaises(OperationFailure): client.pymongo_test.test.find_one() client.pymongo_test.authenticate('user2', 'pass') client.pymongo_test.test.find_one() with self.assertRaises(OperationFailure): client.pymongo_test.authenticate('user1', 'pass') client.pymongo_test.test.find_one()
def check_auth(username, password): c = rs_or_single_client_noauth( username=username, password=password, authSource="pymongo_test") c.pymongo_test.collection.find_one()
def test_delegated_auth(self): self.client.pymongo_test2.foo.drop() self.client.pymongo_test2.foo.insert_one({}) # User definition with no roles in pymongo_test. self.client.pymongo_test.add_user('user', 'pass', roles=[]) # Delegate auth to pymongo_test. self.client.pymongo_test2.add_user('user', userSource='pymongo_test', roles=['read']) auth_c = rs_or_single_client_noauth() self.assertRaises(OperationFailure, auth_c.pymongo_test2.foo.find_one) # Auth must occur on the db where the user is defined. self.assertRaises(OperationFailure, auth_c.pymongo_test2.authenticate, 'user', 'pass') # Auth directly self.assertTrue(auth_c.pymongo_test.authenticate('user', 'pass')) self.assertTrue(auth_c.pymongo_test2.foo.find_one()) auth_c.pymongo_test.logout() self.assertRaises(OperationFailure, auth_c.pymongo_test2.foo.find_one) # Auth using source self.assertTrue( auth_c.pymongo_test2.authenticate('user', 'pass', source='pymongo_test')) self.assertTrue(auth_c.pymongo_test2.foo.find_one()) # Must logout from the db authenticate was called on. auth_c.pymongo_test2.logout() self.assertRaises(OperationFailure, auth_c.pymongo_test2.foo.find_one)
def test_delegated_auth(self): self.client.pymongo_test2.foo.drop() self.client.pymongo_test2.foo.insert_one({}) # User definition with no roles in pymongo_test. self.client.pymongo_test.add_user('user', 'pass', roles=[]) # Delegate auth to pymongo_test. self.client.pymongo_test2.add_user('user', userSource='pymongo_test', roles=['read']) auth_c = rs_or_single_client_noauth() self.assertRaises(OperationFailure, auth_c.pymongo_test2.foo.find_one) # Auth must occur on the db where the user is defined. self.assertRaises(OperationFailure, auth_c.pymongo_test2.authenticate, 'user', 'pass') # Auth directly self.assertTrue(auth_c.pymongo_test.authenticate('user', 'pass')) self.assertTrue(auth_c.pymongo_test2.foo.find_one()) auth_c.pymongo_test.logout() self.assertRaises(OperationFailure, auth_c.pymongo_test2.foo.find_one) # Auth using source self.assertTrue(auth_c.pymongo_test2.authenticate( 'user', 'pass', source='pymongo_test')) self.assertTrue(auth_c.pymongo_test2.foo.find_one()) # Must logout from the db authenticate was called on. auth_c.pymongo_test2.logout() self.assertRaises(OperationFailure, auth_c.pymongo_test2.foo.find_one)
def test_scram_skip_empty_exchange(self): listener = WhiteListEventListener("saslStart", "saslContinue") client_context.create_user('testscram', 'sha256', 'pwd', roles=['dbOwner'], mechanisms=['SCRAM-SHA-256']) client = rs_or_single_client_noauth(username='******', password='******', authSource='testscram', event_listeners=[listener]) client.testscram.command('dbstats') if client_context.version < (4, 4, -1): # Assert we sent the skipEmptyExchange option. first_event = listener.results['started'][0] self.assertEqual(first_event.command_name, 'saslStart') self.assertEqual(first_event.command['options'], {'skipEmptyExchange': True}) # Assert the third exchange was skipped on servers that support it. # Note that the first exchange occurs on the connection handshake. started = listener.started_command_names() if client_context.version.at_least(4, 4, -1): self.assertEqual(started, ['saslContinue']) else: self.assertEqual(started, ['saslStart', 'saslContinue', 'saslContinue'])
def test_readonly(self): # We test that an authorization failure aborts the batch and is raised # as OperationFailure. cli = rs_or_single_client_noauth(username='******', password='******', authSource='pymongo_test') coll = cli.pymongo_test.test coll.find_one() self.assertRaises(OperationFailure, coll.bulk_write, [InsertOne({'x': 1})])
def test_readonly(self): # We test that an authorization failure aborts the batch and is raised # as OperationFailure. cli = rs_or_single_client_noauth() db = cli.pymongo_test coll = db.test db.authenticate('readonly', 'pw') bulk = coll.initialize_ordered_bulk_op() bulk.insert({'x': 1}) self.assertRaises(OperationFailure, bulk.execute)
def test_readonly(self): # We test that an authorization failure aborts the batch and is raised # as OperationFailure. cli = rs_or_single_client_noauth(username='******', password='******', authSource='pymongo_test') coll = cli.pymongo_test.test bulk = coll.initialize_ordered_bulk_op() bulk.insert({'x': 1}) self.assertRaises(OperationFailure, bulk.execute)
def test_authenticate_multiple(self): extra = {} if client_context.version.at_least(3, 7, 2): extra['mechanisms'] = ['SCRAM-SHA-1'] # "self.client" is logged in as root. self.client.drop_database("pymongo_test") self.client.drop_database("pymongo_test1") admin_db_auth = self.client.admin users_db_auth = self.client.pymongo_test # Non-root client. client = rs_or_single_client_noauth() admin_db = client.admin users_db = client.pymongo_test other_db = client.pymongo_test1 self.assertRaises(OperationFailure, users_db.test.find_one) admin_db_auth.add_user( 'ro-admin', 'pass', roles=["userAdmin", "readAnyDatabase"], **extra) self.addCleanup(client_context.drop_user, 'admin', 'ro-admin') users_db_auth.add_user( 'user', 'pass', roles=["userAdmin", "readWrite"], **extra) self.addCleanup(remove_all_users, users_db_auth) # Regular user should be able to query its own db, but # no other. users_db.authenticate('user', 'pass') self.assertEqual(0, users_db.test.count()) self.assertRaises(OperationFailure, other_db.test.find_one) # Admin read-only user should be able to query any db, # but not write. admin_db.authenticate('ro-admin', 'pass') self.assertEqual(None, other_db.test.find_one()) self.assertRaises(OperationFailure, other_db.test.insert_one, {}) # Close all sockets. client.close() # We should still be able to write to the regular user's db. self.assertTrue(users_db.test.delete_many({})) # And read from other dbs... self.assertEqual(0, other_db.test.count()) # But still not write to other dbs. self.assertRaises(OperationFailure, other_db.test.insert_one, {})
def test_auth_from_uri(self): self.client.admin.add_user("admin", "pass", roles=["root"]) self.addCleanup(self.client.admin.remove_user, 'admin') self.addCleanup(remove_all_users, self.client.pymongo_test) self.client.pymongo_test.add_user("user", "pass", roles=['userAdmin', 'readWrite']) with self.assertRaises(OperationFailure): connected(rs_or_single_client("mongodb://*****:*****@%s:%d" % (host, port))) # No error. connected( rs_or_single_client_noauth("mongodb://*****:*****@%s:%d" % (host, port))) # Wrong database. uri = "mongodb://*****:*****@%s:%d/pymongo_test" % (host, port) with self.assertRaises(OperationFailure): connected(rs_or_single_client(uri)) # No error. connected( rs_or_single_client_noauth( "mongodb://*****:*****@%s:%d/pymongo_test" % (host, port))) # Auth with lazy connection. rs_or_single_client("mongodb://*****:*****@%s:%d/pymongo_test" % (host, port), connect=False).pymongo_test.test.find_one() # Wrong password. bad_client = rs_or_single_client( "mongodb://*****:*****@%s:%d/pymongo_test" % (host, port), connect=False) self.assertRaises(OperationFailure, bad_client.pymongo_test.test.find_one)
def test_scram_sha1(self): host, port = client_context.host, client_context.port client = rs_or_single_client_noauth() self.assertTrue(client.pymongo_test.authenticate( 'user', 'pass', mechanism='SCRAM-SHA-1')) client.pymongo_test.command('dbstats') client = rs_or_single_client_noauth( 'mongodb://*****:*****@%s:%d/pymongo_test?authMechanism=SCRAM-SHA-1' % (host, port)) client.pymongo_test.command('dbstats') if client_context.is_rs: uri = ('mongodb://*****:*****@%s:%d/pymongo_test?authMechanism=SCRAM-SHA-1' '&replicaSet=%s' % (host, port, client_context.replica_set_name)) client = single_client_noauth(uri) client.pymongo_test.command('dbstats') db = client.get_database( 'pymongo_test', read_preference=ReadPreference.SECONDARY) db.command('dbstats')
def test_gridfs_readonly(self): # "self.client" is logged in as root. Make a read-only user. auth_db = self.client.test_gridfs_readonly auth_db.add_user('readonly', 'pw', readOnly=True) self.addCleanup(remove_all_users, auth_db) db = rs_or_single_client_noauth().test_gridfs_readonly db.authenticate('readonly', 'pw') fs = gridfs.GridFS(db) file = fs.new_file() file._ensure_index() fs.list()
def test_authenticate_multiple(self): # "self.client" is logged in as root. self.client.drop_database("pymongo_test") self.client.drop_database("pymongo_test1") admin_db_auth = self.client.admin users_db_auth = self.client.pymongo_test # Non-root client. client = rs_or_single_client_noauth() admin_db = client.admin users_db = client.pymongo_test other_db = client.pymongo_test1 self.assertRaises(OperationFailure, users_db.test.find_one) if client_context.version.at_least(2, 5, 3, -1): admin_db_auth.add_user('ro-admin', 'pass', roles=["userAdmin", "readAnyDatabase"]) else: admin_db_auth.add_user('ro-admin', 'pass', read_only=True) self.addCleanup(admin_db_auth.remove_user, 'ro-admin') users_db_auth.add_user('user', 'pass', roles=["userAdmin", "readWrite"]) self.addCleanup(remove_all_users, users_db_auth) # Regular user should be able to query its own db, but # no other. users_db.authenticate('user', 'pass') self.assertEqual(0, users_db.test.count()) self.assertRaises(OperationFailure, other_db.test.find_one) # Admin read-only user should be able to query any db, # but not write. admin_db.authenticate('ro-admin', 'pass') self.assertEqual(None, other_db.test.find_one()) self.assertRaises(OperationFailure, other_db.test.insert_one, {}) # Close all sockets. client.close() # We should still be able to write to the regular user's db. self.assertTrue(users_db.test.delete_many({})) # And read from other dbs... self.assertEqual(0, other_db.test.count()) # But still not write to other dbs. self.assertRaises(OperationFailure, other_db.test.insert_one, {})
def test_no_remove(self): # We test that an authorization failure aborts the batch and is raised # as OperationFailure. cli = rs_or_single_client_noauth(username='******', password='******', authSource='pymongo_test') coll = cli.pymongo_test.test bulk = coll.initialize_ordered_bulk_op() bulk.insert({'x': 1}) bulk.find({'x': 2}).upsert().replace_one({'x': 2}) bulk.find({}).remove() # Prohibited. bulk.insert({'x': 3}) # Never attempted. self.assertRaises(OperationFailure, bulk.execute) self.assertEqual(set([1, 2]), set(self.coll.distinct('x')))
def test_no_remove(self): # We test that an authorization failure aborts the batch and is raised # as OperationFailure. cli = rs_or_single_client_noauth() db = cli.pymongo_test coll = db.test db.authenticate('noremove', 'pw') bulk = coll.initialize_ordered_bulk_op() bulk.insert({'x': 1}) bulk.find({'x': 2}).upsert().replace_one({'x': 2}) bulk.find({}).remove() # Prohibited. bulk.insert({'x': 3}) # Never attempted. self.assertRaises(OperationFailure, bulk.execute) self.assertEqual(set([1, 2]), set(self.coll.distinct('x')))
def test_no_remove(self): # We test that an authorization failure aborts the batch and is raised # as OperationFailure. cli = rs_or_single_client_noauth(username='******', password='******', authSource='pymongo_test') coll = cli.pymongo_test.test coll.find_one() requests = [ InsertOne({'x': 1}), ReplaceOne({'x': 2}, {'x': 2}, upsert=True), DeleteMany({}), # Prohibited. InsertOne({'x': 3}), # Never attempted. ] self.assertRaises(OperationFailure, coll.bulk_write, requests) self.assertEqual(set([1, 2]), set(self.coll.distinct('x')))
def setUp(self): client_context.client.admin.add_user('admin', 'pass', roles=['userAdminAnyDatabase', 'dbAdminAnyDatabase', 'readWriteAnyDatabase', 'clusterAdmin']) client = rs_or_single_client_noauth(username='******', password='******') client.pymongo_test.add_user('user', 'pass', roles=['userAdmin', 'readWrite']) if client_context.is_rs: # Make sure the admin user is replicated after calling add_user # above. This avoids a race in the replica set tests below. client.admin.command('getLastError', w=client_context.w) self.client = client
def setUp(self): client = rs_or_single_client_noauth() client_context.client.admin.add_user('admin', 'pass', roles=['userAdminAnyDatabase', 'dbAdminAnyDatabase', 'readWriteAnyDatabase', 'clusterAdmin']) client.admin.authenticate('admin', 'pass') client.pymongo_test.add_user('user', 'pass', roles=['userAdmin', 'readWrite']) if client_context.is_rs: # Make sure the admin user is replicated after calling add_user # above. This avoids a race in the replica set tests below. client.admin.command('getLastError', w=client_context.w) self.client = client
def test_ipv6(self): if client_context.auth_enabled: auth_str = "%s:%s@" % (db_user, db_pwd) else: auth_str = "" uri = "mongodb://%s[::1]:%d" % (auth_str, port) if client_context.is_rs: uri += '/?replicaSet=' + client_context.replica_set_name client = rs_or_single_client_noauth(uri) client.pymongo_test.test.insert_one({"dummy": u("object")}) client.pymongo_test_bernie.test.insert_one({"dummy": u("object")}) dbs = client.database_names() self.assertTrue("pymongo_test" in dbs) self.assertTrue("pymongo_test_bernie" in dbs)
def test_new_user_cmds(self): # "self.client" is logged in as root. auth_db = self.client.pymongo_test auth_db.add_user("amalia", "password", roles=["userAdmin"]) self.addCleanup(auth_db.remove_user, "amalia") db = rs_or_single_client_noauth().pymongo_test db.authenticate("amalia", "password") # This tests the ability to update user attributes. db.add_user("amalia", "new_password", customData={"secret": "koalas"}) user_info = db.command("usersInfo", "amalia") self.assertTrue(user_info["users"]) amalia_user = user_info["users"][0] self.assertEqual(amalia_user["user"], "amalia") self.assertEqual(amalia_user["customData"], {"secret": "koalas"})
def test_auto_auth_login(self): client = rs_or_single_client_noauth() self.assertRaises(OperationFailure, client.auth_test.test.find_one) # Admin auth client.admin.authenticate(db_user, db_pwd) nthreads = 10 threads = [] for _ in range(nthreads): t = AutoAuthenticateThreads(client.auth_test.test, 10) t.start() threads.append(t) joinall(threads) for t in threads: self.assertTrue(t.success)
def test_make_user_readonly(self): # "self.client" is logged in as root. auth_db = self.client.pymongo_test db = rs_or_single_client_noauth().pymongo_test # Make a read-write user. auth_db.add_user('jesse', 'pw') self.addCleanup(remove_all_users, auth_db) # Check that we're read-write by default. db.authenticate('jesse', 'pw') db.collection.insert_one({}) db.logout() # Make the user read-only. auth_db.add_user('jesse', 'pw', read_only=True) db.authenticate('jesse', 'pw') self.assertRaises(OperationFailure, db.collection.insert_one, {})
def test_auto_auth_login(self): # Create the database upfront to workaround SERVER-39167. self.client.auth_test.test.insert_one({}) self.addCleanup(self.client.drop_database, "auth_test") client = rs_or_single_client_noauth() self.assertRaises(OperationFailure, client.auth_test.test.find_one) # Admin auth client.admin.authenticate(db_user, db_pwd) nthreads = 10 threads = [] for _ in range(nthreads): t = AutoAuthenticateThreads(client.auth_test.test, 10) t.start() threads.append(t) joinall(threads) for t in threads: self.assertTrue(t.success)
def test_new_user_cmds(self): extra = {} if client_context.version.at_least(3, 7, 2): extra['mechanisms'] = ['SCRAM-SHA-1'] # "self.client" is logged in as root. auth_db = self.client.pymongo_test auth_db.add_user("amalia", "password", roles=["userAdmin"], **extra) self.addCleanup(client_context.drop_user, "pymongo_test", "amalia") db = rs_or_single_client_noauth(username="******", password="******", authSource="pymongo_test").pymongo_test # This tests the ability to update user attributes. db.add_user("amalia", "new_password", customData={"secret": "koalas"}, **extra) user_info = db.command("usersInfo", "amalia") self.assertTrue(user_info["users"]) amalia_user = user_info["users"][0] self.assertEqual(amalia_user["user"], "amalia") self.assertEqual(amalia_user["customData"], {"secret": "koalas"})
def test_authenticate_multiple(self): # "self.client" is logged in as root. self.client.drop_database("pymongo_test") self.client.drop_database("pymongo_test1") admin_db_auth = self.client.admin users_db_auth = self.client.pymongo_test admin_db_auth.add_user('ro-admin', 'pass', roles=["userAdmin", "readAnyDatabase"]) self.addCleanup(client_context.drop_user, 'admin', 'ro-admin') users_db_auth.add_user('user', 'pass', roles=["userAdmin", "readWrite"]) self.addCleanup(remove_all_users, users_db_auth) # Non-root client. listener = EventListener() client = rs_or_single_client_noauth(event_listeners=[listener]) admin_db = client.admin users_db = client.pymongo_test other_db = client.pymongo_test1 self.assertRaises(OperationFailure, users_db.test.find_one) self.assertEqual(listener.started_command_names(), ['find']) listener.reset() # Regular user should be able to query its own db, but # no other. users_db.authenticate('user', 'pass') if client_context.version.at_least(3, 0): self.assertEqual(listener.started_command_names()[0], 'saslStart') else: self.assertEqual(listener.started_command_names()[0], 'getnonce') self.assertEqual(0, users_db.test.count_documents({})) self.assertRaises(OperationFailure, other_db.test.find_one) listener.reset() # Admin read-only user should be able to query any db, # but not write. admin_db.authenticate('ro-admin', 'pass') if client_context.version.at_least(3, 0): self.assertEqual(listener.started_command_names()[0], 'saslStart') else: self.assertEqual(listener.started_command_names()[0], 'getnonce') self.assertEqual(None, other_db.test.find_one()) self.assertRaises(OperationFailure, other_db.test.insert_one, {}) # Close all sockets. client.close() listener.reset() # We should still be able to write to the regular user's db. self.assertTrue(users_db.test.delete_many({})) names = listener.started_command_names() if client_context.version.at_least(4, 4, -1): # No speculation with multiple users (but we do skipEmptyExchange). self.assertEqual(names, [ 'saslStart', 'saslContinue', 'saslStart', 'saslContinue', 'delete' ]) elif client_context.version.at_least(3, 0): self.assertEqual(names, [ 'saslStart', 'saslContinue', 'saslContinue', 'saslStart', 'saslContinue', 'saslContinue', 'delete' ]) else: self.assertEqual(names, [ 'getnonce', 'authenticate', 'getnonce', 'authenticate', 'delete' ]) # And read from other dbs... self.assertEqual(0, other_db.test.count_documents({})) # But still not write to other dbs. self.assertRaises(OperationFailure, other_db.test.insert_one, {})
def test_authenticate_add_remove_user(self): # "self.client" is logged in as root. auth_db = self.client.pymongo_test db = rs_or_single_client_noauth().pymongo_test # Configuration errors self.assertRaises(ValueError, auth_db.add_user, "user", '') self.assertRaises(TypeError, auth_db.add_user, "user", 'password', 15) self.assertRaises(TypeError, auth_db.add_user, "user", 'password', 'True') self.assertRaises(ConfigurationError, auth_db.add_user, "user", 'password', True, roles=['read']) if client_context.version.at_least(2, 5, 3, -1): with warnings.catch_warnings(): warnings.simplefilter("error", DeprecationWarning) self.assertRaises(DeprecationWarning, auth_db.add_user, "user", "password") self.assertRaises(DeprecationWarning, auth_db.add_user, "user", "password", True) with ignore_deprecations(): self.assertRaises(ConfigurationError, auth_db.add_user, "user", "password", digestPassword=True) # Add / authenticate / remove auth_db.add_user("mike", "password", roles=["dbOwner"]) self.addCleanup(remove_all_users, auth_db) self.assertRaises(TypeError, db.authenticate, 5, "password") self.assertRaises(TypeError, db.authenticate, "mike", 5) self.assertRaises(OperationFailure, db.authenticate, "mike", "not a real password") self.assertRaises(OperationFailure, db.authenticate, "faker", "password") db.authenticate("mike", "password") db.logout() # Unicode name and password. db.authenticate(u"mike", u"password") db.logout() auth_db.remove_user("mike") self.assertRaises(OperationFailure, db.authenticate, "mike", "password") # Add / authenticate / change password self.assertRaises(OperationFailure, db.authenticate, "Gustave", u"Dor\xe9") auth_db.add_user("Gustave", u"Dor\xe9", roles=["dbOwner"]) db.authenticate("Gustave", u"Dor\xe9") # Change password. auth_db.add_user("Gustave", "password", roles=["dbOwner"]) db.logout() self.assertRaises(OperationFailure, db.authenticate, "Gustave", u"Dor\xe9") self.assertTrue(db.authenticate("Gustave", u"password")) if not client_context.version.at_least(2, 5, 3, -1): # Add a readOnly user with ignore_deprecations(): auth_db.add_user("Ross", "password", read_only=True) db.logout() db.authenticate("Ross", u"password") self.assertTrue( auth_db.system.users.find({ "readOnly": True }).count())
def setUp(self): client_context.create_user('admin', 'admin', 'pass') client_context.create_user( 'pymongo_test', 'user', 'pass', ['userAdmin', 'readWrite']) self.client = rs_or_single_client_noauth( username='******', password='******')
def test_authenticate_add_remove_user(self): # "self.client" is logged in as root. auth_db = self.client.pymongo_test db = rs_or_single_client_noauth().pymongo_test # Configuration errors self.assertRaises(ValueError, auth_db.add_user, "user", '') self.assertRaises(TypeError, auth_db.add_user, "user", 'password', 15) self.assertRaises(TypeError, auth_db.add_user, "user", 'password', 'True') self.assertRaises(ConfigurationError, auth_db.add_user, "user", 'password', True, roles=['read']) if client_context.version.at_least(2, 5, 3, -1): with warnings.catch_warnings(): warnings.simplefilter("error", DeprecationWarning) self.assertRaises(DeprecationWarning, auth_db.add_user, "user", "password") self.assertRaises(DeprecationWarning, auth_db.add_user, "user", "password", True) with ignore_deprecations(): self.assertRaises(ConfigurationError, auth_db.add_user, "user", "password", digestPassword=True) # Add / authenticate / remove auth_db.add_user("mike", "password", roles=["dbOwner"]) self.addCleanup(remove_all_users, auth_db) self.assertRaises(TypeError, db.authenticate, 5, "password") self.assertRaises(TypeError, db.authenticate, "mike", 5) self.assertRaises(OperationFailure, db.authenticate, "mike", "not a real password") self.assertRaises(OperationFailure, db.authenticate, "faker", "password") db.authenticate("mike", "password") db.logout() # Unicode name and password. db.authenticate(u("mike"), u("password")) db.logout() auth_db.remove_user("mike") self.assertRaises(OperationFailure, db.authenticate, "mike", "password") # Add / authenticate / change password self.assertRaises(OperationFailure, db.authenticate, "Gustave", u("Dor\xe9")) auth_db.add_user("Gustave", u("Dor\xe9"), roles=["dbOwner"]) db.authenticate("Gustave", u("Dor\xe9")) # Change password. auth_db.add_user("Gustave", "password", roles=["dbOwner"]) db.logout() self.assertRaises(OperationFailure, db.authenticate, "Gustave", u("Dor\xe9")) self.assertTrue(db.authenticate("Gustave", u("password"))) if not client_context.version.at_least(2, 5, 3, -1): # Add a readOnly user with ignore_deprecations(): auth_db.add_user("Ross", "password", read_only=True) db.logout() db.authenticate("Ross", u("password")) self.assertTrue( auth_db.system.users.find({"readOnly": True}).count())
def setUp(self): client_context.create_user('admin', 'admin', 'pass') client_context.create_user('pymongo_test', 'user', 'pass', ['userAdmin', 'readWrite']) self.client = rs_or_single_client_noauth(username='******', password='******')
def test_scram(self): host, port = client_context.host, client_context.port client_context.create_user('testscram', 'sha1', 'pwd', roles=['dbOwner'], mechanisms=['SCRAM-SHA-1']) client_context.create_user('testscram', 'sha256', 'pwd', roles=['dbOwner'], mechanisms=['SCRAM-SHA-256']) client_context.create_user('testscram', 'both', 'pwd', roles=['dbOwner'], mechanisms=['SCRAM-SHA-1', 'SCRAM-SHA-256']) client = rs_or_single_client_noauth(event_listeners=[self.listener]) self.assertTrue(client.testscram.authenticate('sha1', 'pwd')) client.testscram.command('dbstats') client.testscram.logout() self.assertTrue( client.testscram.authenticate('sha1', 'pwd', mechanism='SCRAM-SHA-1')) client.testscram.command('dbstats') client.testscram.logout() self.assertRaises(OperationFailure, client.testscram.authenticate, 'sha1', 'pwd', mechanism='SCRAM-SHA-256') self.assertTrue(client.testscram.authenticate('sha256', 'pwd')) client.testscram.command('dbstats') client.testscram.logout() self.assertTrue( client.testscram.authenticate('sha256', 'pwd', mechanism='SCRAM-SHA-256')) client.testscram.command('dbstats') client.testscram.logout() self.assertRaises(OperationFailure, client.testscram.authenticate, 'sha256', 'pwd', mechanism='SCRAM-SHA-1') self.listener.results.clear() self.assertTrue(client.testscram.authenticate('both', 'pwd')) started = self.listener.results['started'][0] self.assertEqual(started.command.get('mechanism'), 'SCRAM-SHA-256') client.testscram.command('dbstats') client.testscram.logout() self.assertTrue( client.testscram.authenticate('both', 'pwd', mechanism='SCRAM-SHA-256')) client.testscram.command('dbstats') client.testscram.logout() self.assertTrue( client.testscram.authenticate('both', 'pwd', mechanism='SCRAM-SHA-1')) client.testscram.command('dbstats') client.testscram.logout() self.assertRaises(OperationFailure, client.testscram.authenticate, 'not-a-user', 'pwd') if HAVE_STRINGPREP: # Test the use of SASLprep on passwords. For example, # saslprep(u'\u2136') becomes u'IV' and saslprep(u'I\u00ADX') # becomes u'IX'. SASLprep is only supported when the standard # library provides stringprep. client_context.create_user('testscram', u'\u2168', u'\u2163', roles=['dbOwner'], mechanisms=['SCRAM-SHA-256']) client_context.create_user('testscram', u'IX', u'IX', roles=['dbOwner'], mechanisms=['SCRAM-SHA-256']) self.assertTrue(client.testscram.authenticate( u'\u2168', u'\u2163')) client.testscram.command('dbstats') client.testscram.logout() self.assertTrue( client.testscram.authenticate(u'\u2168', u'\u2163', mechanism='SCRAM-SHA-256')) client.testscram.command('dbstats') client.testscram.logout() self.assertTrue(client.testscram.authenticate(u'\u2168', u'IV')) client.testscram.command('dbstats') client.testscram.logout() self.assertTrue(client.testscram.authenticate(u'IX', u'I\u00ADX')) client.testscram.command('dbstats') client.testscram.logout() self.assertTrue( client.testscram.authenticate(u'IX', u'I\u00ADX', mechanism='SCRAM-SHA-256')) client.testscram.command('dbstats') client.testscram.logout() self.assertTrue(client.testscram.authenticate(u'IX', u'IX')) client.testscram.command('dbstats') client.testscram.logout() client = rs_or_single_client_noauth( u'mongodb://\u2168:\u2163@%s:%d/testscram' % (host, port)) client.testscram.command('dbstats') client = rs_or_single_client_noauth( u'mongodb://\u2168:IV@%s:%d/testscram' % (host, port)) client.testscram.command('dbstats') client = rs_or_single_client_noauth( u'mongodb://*****:*****@%s:%d/testscram' % (host, port)) client.testscram.command('dbstats') client = rs_or_single_client_noauth( u'mongodb://*****:*****@%s:%d/testscram' % (host, port)) client.testscram.command('dbstats') self.listener.results.clear() client = rs_or_single_client_noauth( 'mongodb://*****:*****@%s:%d/testscram' % (host, port), event_listeners=[self.listener]) client.testscram.command('dbstats') if client_context.version.at_least(4, 4, -1): # Speculative authentication in 4.4+ sends saslStart with the # handshake. self.assertEqual(self.listener.results['started'], []) else: started = self.listener.results['started'][0] self.assertEqual(started.command.get('mechanism'), 'SCRAM-SHA-256') client = rs_or_single_client_noauth( 'mongodb://*****:*****@%s:%d/testscram?authMechanism=SCRAM-SHA-1' % (host, port)) client.testscram.command('dbstats') client = rs_or_single_client_noauth( 'mongodb://*****:*****@%s:%d/testscram?authMechanism=SCRAM-SHA-256' % (host, port)) client.testscram.command('dbstats') if client_context.is_rs: uri = ('mongodb://*****:*****@%s:%d/testscram' '?replicaSet=%s' % (host, port, client_context.replica_set_name)) client = single_client_noauth(uri) client.testscram.command('dbstats') db = client.get_database('testscram', read_preference=ReadPreference.SECONDARY) db.command('dbstats')
def test_scram(self): host, port = client_context.host, client_context.port client_context.create_user( 'testscram', 'sha1', 'pwd', roles=['dbOwner'], mechanisms=['SCRAM-SHA-1']) client_context.create_user( 'testscram', 'sha256', 'pwd', roles=['dbOwner'], mechanisms=['SCRAM-SHA-256']) client_context.create_user( 'testscram', 'both', 'pwd', roles=['dbOwner'], mechanisms=['SCRAM-SHA-1', 'SCRAM-SHA-256']) client = rs_or_single_client_noauth( event_listeners=[self.listener]) self.assertTrue( client.testscram.authenticate('sha1', 'pwd')) client.testscram.command('dbstats') client.testscram.logout() self.assertTrue( client.testscram.authenticate( 'sha1', 'pwd', mechanism='SCRAM-SHA-1')) client.testscram.command('dbstats') client.testscram.logout() self.assertRaises( OperationFailure, client.testscram.authenticate, 'sha1', 'pwd', mechanism='SCRAM-SHA-256') self.assertTrue( client.testscram.authenticate('sha256', 'pwd')) client.testscram.command('dbstats') client.testscram.logout() self.assertTrue( client.testscram.authenticate( 'sha256', 'pwd', mechanism='SCRAM-SHA-256')) client.testscram.command('dbstats') client.testscram.logout() self.assertRaises( OperationFailure, client.testscram.authenticate, 'sha256', 'pwd', mechanism='SCRAM-SHA-1') self.listener.results.clear() self.assertTrue( client.testscram.authenticate('both', 'pwd')) started = self.listener.results['started'][0] self.assertEqual(started.command.get('mechanism'), 'SCRAM-SHA-256') client.testscram.command('dbstats') client.testscram.logout() self.assertTrue( client.testscram.authenticate( 'both', 'pwd', mechanism='SCRAM-SHA-256')) client.testscram.command('dbstats') client.testscram.logout() self.assertTrue( client.testscram.authenticate( 'both', 'pwd', mechanism='SCRAM-SHA-1')) client.testscram.command('dbstats') client.testscram.logout() self.assertRaises( OperationFailure, client.testscram.authenticate, 'not-a-user', 'pwd') if HAVE_STRINGPREP: # Test the use of SASLprep on passwords. For example, # saslprep(u'\u2136') becomes u'IV' and saslprep(u'I\u00ADX') # becomes u'IX'. SASLprep is only supported when the standard # library provides stringprep. client_context.create_user( 'testscram', u'\u2168', u'\u2163', roles=['dbOwner'], mechanisms=['SCRAM-SHA-256']) client_context.create_user( 'testscram', u'IX', u'IX', roles=['dbOwner'], mechanisms=['SCRAM-SHA-256']) self.assertTrue( client.testscram.authenticate(u'\u2168', u'\u2163')) client.testscram.command('dbstats') client.testscram.logout() self.assertTrue( client.testscram.authenticate( u'\u2168', u'\u2163', mechanism='SCRAM-SHA-256')) client.testscram.command('dbstats') client.testscram.logout() self.assertTrue( client.testscram.authenticate(u'\u2168', u'IV')) client.testscram.command('dbstats') client.testscram.logout() self.assertTrue( client.testscram.authenticate(u'IX', u'I\u00ADX')) client.testscram.command('dbstats') client.testscram.logout() self.assertTrue( client.testscram.authenticate( u'IX', u'I\u00ADX', mechanism='SCRAM-SHA-256')) client.testscram.command('dbstats') client.testscram.logout() self.assertTrue( client.testscram.authenticate(u'IX', u'IX')) client.testscram.command('dbstats') client.testscram.logout() client = rs_or_single_client_noauth( u'mongodb://\u2168:\u2163@%s:%d/testscram' % (host, port)) client.testscram.command('dbstats') client = rs_or_single_client_noauth( u'mongodb://\u2168:IV@%s:%d/testscram' % (host, port)) client.testscram.command('dbstats') client = rs_or_single_client_noauth( u'mongodb://*****:*****@%s:%d/testscram' % (host, port)) client.testscram.command('dbstats') client = rs_or_single_client_noauth( u'mongodb://*****:*****@%s:%d/testscram' % (host, port)) client.testscram.command('dbstats') self.listener.results.clear() client = rs_or_single_client_noauth( 'mongodb://*****:*****@%s:%d/testscram' % (host, port), event_listeners=[self.listener]) client.testscram.command('dbstats') started = self.listener.results['started'][0] self.assertEqual(started.command.get('mechanism'), 'SCRAM-SHA-256') client = rs_or_single_client_noauth( 'mongodb://*****:*****@%s:%d/testscram?authMechanism=SCRAM-SHA-1' % (host, port)) client.testscram.command('dbstats') client = rs_or_single_client_noauth( 'mongodb://*****:*****@%s:%d/testscram?authMechanism=SCRAM-SHA-256' % (host, port)) client.testscram.command('dbstats') if client_context.is_rs: uri = ('mongodb://*****:*****@%s:%d/testscram' '?replicaSet=%s' % (host, port, client_context.replica_set_name)) client = single_client_noauth(uri) client.testscram.command('dbstats') db = client.get_database( 'testscram', read_preference=ReadPreference.SECONDARY) db.command('dbstats')
def test_scram(self): # Step 1: create users client_context.create_user('testscram', 'sha1', 'pwd', roles=['dbOwner'], mechanisms=['SCRAM-SHA-1']) client_context.create_user('testscram', 'sha256', 'pwd', roles=['dbOwner'], mechanisms=['SCRAM-SHA-256']) client_context.create_user('testscram', 'both', 'pwd', roles=['dbOwner'], mechanisms=['SCRAM-SHA-1', 'SCRAM-SHA-256']) # Step 2: verify auth success cases client = rs_or_single_client_noauth(username='******', password='******', authSource='testscram') client.testscram.command('dbstats') client = rs_or_single_client_noauth(username='******', password='******', authSource='testscram', authMechanism='SCRAM-SHA-1') client.testscram.command('dbstats') client = rs_or_single_client_noauth(username='******', password='******', authSource='testscram') client.testscram.command('dbstats') client = rs_or_single_client_noauth(username='******', password='******', authSource='testscram', authMechanism='SCRAM-SHA-256') client.testscram.command('dbstats') # Step 2: SCRAM-SHA-1 and SCRAM-SHA-256 client = rs_or_single_client_noauth(username='******', password='******', authSource='testscram', authMechanism='SCRAM-SHA-1') client.testscram.command('dbstats') client = rs_or_single_client_noauth(username='******', password='******', authSource='testscram', authMechanism='SCRAM-SHA-256') client.testscram.command('dbstats') self.listener.results.clear() client = rs_or_single_client_noauth(username='******', password='******', authSource='testscram', event_listeners=[self.listener]) client.testscram.command('dbstats') if client_context.version.at_least(4, 4, -1): # Speculative authentication in 4.4+ sends saslStart with the # handshake. self.assertEqual(self.listener.results['started'], []) else: started = self.listener.results['started'][0] self.assertEqual(started.command.get('mechanism'), 'SCRAM-SHA-256') # Step 3: verify auth failure conditions client = rs_or_single_client_noauth(username='******', password='******', authSource='testscram', authMechanism='SCRAM-SHA-256') with self.assertRaises(OperationFailure): client.testscram.command('dbstats') client = rs_or_single_client_noauth(username='******', password='******', authSource='testscram', authMechanism='SCRAM-SHA-1') with self.assertRaises(OperationFailure): client.testscram.command('dbstats') client = rs_or_single_client_noauth(username='******', password='******', authSource='testscram') with self.assertRaises(OperationFailure): client.testscram.command('dbstats') if client_context.is_rs: host, port = client_context.host, client_context.port uri = ('mongodb://*****:*****@%s:%d/testscram' '?replicaSet=%s' % (host, port, client_context.replica_set_name)) client = single_client_noauth(uri) client.testscram.command('dbstats') db = client.get_database('testscram', read_preference=ReadPreference.SECONDARY) db.command('dbstats')